DNSSEC Keys and Zone Management

Ref: https://learn.cantrill.io/courses/2022818/lectures/45637093

YouTube: https://www.youtube.com/watch?v=4qlIim15xwM

ZSK and RRSIG records

🔧 Every DNS zone has a Zone Signing Key (ZSK) pair
- Private ZSK: kept safe (offline)
  - used to sign RRSETs in the zone
- Public ZSK: kept inside the zone's DNSKEY record
  - accessible by DNSSEC clients to verify validity of signed RRSETs
‼️ DNSSEC validates whole RRSETs (not individual records)!
- The zone signs every RRSET using its private ZSK
- RRSET signatures stored in Resource Record Signature (RRSIG) records inside the zone
- ❗ If an RRSET changes, its RRSIG needs to be regenerated with the private ZSK
  - otherwise, DNSSEC tells clients that the RRSET is not valid
When querying a zone's records:
- DNS-only clients receive the requested RRSET
- DNSSEC clients receive the requested RRSET and its associated RRSIG
  - ❗ clients can use public ZSK to verify RRSIG and its corresponding RRSET are valid
  - Data integrity protection → infrastructure is robust vs DNS cache poisoning
Summary diagram: https://github.com/acantril/aws-sa-associate-saac03/blob/main/0400-TECH_FUNDAMENTALS/00_LEARNINGAIDS/DNSSEC101-4.png

If the ZSK is used to sign all records in the zone, how do we trust the ZSK?
- ❗ There is a RRSET in the zone (the DNSKEY RRSET) that is signed by a different key!
🔧 Every DNS zone has a Key Signing Key (KSK) pair
- Private KSK: kept safe (offline)
  - used to sign the DNSKEY record of the zone
- Public KSK: kept inside the zone's DNSKEY record
  - accessible by DNSSEC clients to verify validity of DNSKEY’s RRSIG
  - ❗ trusted by the parent zone (a hash of it is stored in the parent zone's DS record)
DNSKEY records: store public keys that can verify all RRSIGs in the zone
- Flag 256 = public ZSK
- Flag 257 = public KSK
‼️ ZSK and KSK are NOT the same!!
- ZSK used to generate and verify all RRSIGs in the zone except the RRSIG for DNSKEY
- KSK used to generate and verify the RRSIG of the DNSKEY record in the zone